Update PAT of Self hosted agent - azure-devops

The user from whose PAT a self hosted agent was configured is leaving the organization.
Once the users leaves the org, his account would be deleted from Azure AD and hence his PAT would be expired.
How should one take over the self hosted agent or update the PAT with other users account?
I was unable to see any MSFT docs w.r.t PAT updates.
Is uninstalling and reinstalling the only option in this scenario?

You do not need to update PAT. Check the documentation: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/v2-windows?view=azure-devops

Inside the install directory of the agent (in my case it was C:\agent), you will find some files including
config.cmd
run.cmd
You can reconfigure your agent without uninstalling by running config.cmd editing the values and then run the agent again with run.cmd. You will be prompted to provide the PAT and also the agent pool. You can change only the values that you need.

Related

Is it possible to not have an azure pipeline self-hosted agent tied to a user, and use SSH instead?

The title basically sums it up. I am wondering if it is possible to not have a specific user attached to the self-hosted agent (as in no personal access token needed) and instead have SSH authentication for the self-hosted agent.
I am afraid that there is no such method to use SSH key for self-hosted agent.
Refer to this doc: Self-Hosted agent Auth type.
For Azure Pipelines: Choose PAT
For TFS or Azure DevOps Server: Alternate , Integrated ,Negotiate
,PAT.
When you use the verification method to register a self-hosted agent, it needs to obtain personal permission information through the verification method to determine whether the user has the permission to create the agent.
Therefore, the verification method needs to be associated with a single user.

What permissions are needed for the Azure DevOps Deployment Group Agent?

I am trying to install the Azure DevOps Deployment Group Agent as described in
Provision agents for deployment groups.
Step 6 includes the following guidance: When prompted for the user account, press Return to accept the defaults.
However, the default configures the agent to run under the NT AUTHORITY\SYSTEM account, and I'm hesitant to give full access to a process that runs commands it obtained over the web. What are the minimum permissions/roles I need to give an agent so it will function properly?
Please follow this doc: Provision agents for deployment groups to accept the defaults configures the agent to run under the NT AUTHORITY\SYSTEM account, it is required for the agent to run without issues.
If you run it under other accounts/roles, it will fail with unexpected errors as reported here: https://developercommunity.visualstudio.com/t/running-azure-devops-agent-as-domain-account-fails/712546 and https://developercommunity.visualstudio.com/t/running-azure-devops-deployment-group-agent-using/1107600, etc.
In addition, there is a suggestion ticket in Developer community about this requirement. You can vote and follow this ticket. You can also create a new suggestion ticket here. The product group will review these tickets regularly, and consider take it as roadmap.

How do I connect to a secure cluster from YAML pipeline?

That's it. Plain and simple.
The first step in my pipeline is to remove services that are no longer supported. To do that I need to use Connect-ServiceFabricCluster to connect to the cluster. But that requires a certificate installed on the local machine. I won't have a local machine in a hosted pipeline and I have a problem with installing the certificate on the hosted VM for security reasons.
So how do I connect?
1,
Dont know if you tried azure cli sfctl cluster select which allows you to specify a certificate, check here for more information.
In order to use the certificate in your pipeline. You need to go to the Library under Pipelines and click secure files and add your certificate from local. Make sure Authorize for use in all pipelines is checked when adding your certificate.
Then you can add a Download secure file task to download your certificate in your pipeline.
Then you can consume it in your next task by referring to the download location "$(Agent.TempDirectory)\yourcertificatefilename", check here for more information
sfctl cluster select --endpoint https://testsecurecluster.com:19080 --cert "$(Agent.TempDirectory)\yourcertificatefilename" --key ./keyfile.key
2,
If above sfctl cluster select is not working, You can install the certificate which is already uploaded with a powershell task to the hosted agent
Import-Certificate -FilePath ""$(Agent.TempDirectory)\yourcertificatefilename"" -CertStoreLocation cert:\LocalMachine\Root
3,
If the hosted agent has security concern. You can create your own self-hosted agent on your local machine. You can then install the certificate in your on-premises agent.
To create self-hosted agent.
You need to get a PAT and assign the scope to Agent Pool. click here for detailed steps. You will need the PAT to config your self-hosted agent later.
Then go to Project setting, select Agent Pools under Pipelines, Create a self-defined agent pool if you donot have one, Then select your agent pool, click new agent, and follow the steps to create your own agent.
Hope above can be helpful to you!

How do I properly renew my PATs so that my deployment groups do not stop working due to expiration of the PAT?

When does a Deployment Group stop working due to expiration or regeneration of the Personal Access Token (PAT) that it was configured with?
If I regenerate the PAT, do I need to update the deployed agents, e.g. reconfigure them with the new PAT?
What happens if I just edit the PAT, update the Expiration date, but don't do anything else, e.g. do not regenerate the PAT or do any changes at the configured deployment agent? Will it stop it from expiring and the configured deployment agent still work?
We have Azure DevOps pipeline, along with a deployment group configured to install the solution to one server.
We have a service account, which we use have generated a PAT and used that token to configure the Deployment Group.
I have tried to regenerate the token, which gave me a new PAT. I have not tried to configure the server with the new PAT. However, deployments still seem to work just fine hours from regenerating the PAT.
What is the proper way to update the PAT so that it does not expire and my deployment agents do not stop working?
From the official Microsoft docs:
To register an agent, you need to be a member of the administrator
role in the agent pool. The identity of agent pool administrator is
needed only at the time of registration and is not persisted on the
agent, and is not used in any subsequent communication between the
agent and Azure Pipelines or TFS. In addition, you must be a local
administrator on the server in order to configure the agent.
Your
agent can authenticate to Azure Pipelines or TFS using one of the
following methods: Personal Access Token (PAT): Generate and use a PAT
to connect an agent with Azure Pipelines or TFS 2017 and newer. PAT is
the only scheme that works with Azure Pipelines. Also, as explained
above, this PAT is used only at the time of registering the agent, and
not for subsequent communication.
So, if you remove or re-generate the PAT the agents will keep working without any issues.
You can do two things:
You can Edit token and change expiration date, this is the easiest way
You can Regenerate token, this will create new token, and you will have to:
2.1. Write down your agent user capabilites, name, service user account etc.! Because once you remove the configuration this information will be lost
2.2 Remove agent's configuration (in agent's folder), run ".\config.cmd remove"
2.3 Configure agent with new PAT (in agent's folder), run ".\config.cmd"

Is there any way to remove VSTS agent without PAT?

I'm trying to remove a VSTS agent from a system, but I no longer possess the Personal Access Token (PAT) originally used during setup. An answer on this thread states that I can just delete the agent from the VSTS web UI, but I don't see that option besides nuking the entire agent pool (which is not a great option for us).
When I try to run config.cmd remove, these are my results:
PS C:\agent> .\config.cmd remove
Removing agent from the server
Enter authentication type (press enter for PAT) >
Enter personal access token >
Enter personal access token > Exiting...
First, it’s better to remove VSTS agent through config.cmd remove command and the PAT is required, you don’t need to use original PAT, you can apply a new PAT with Agent Pools (read, manage) scope and use it to remove agent.
Secondly, without PAT:
Deleting agent from server:
Deleting agent service in local system through sc command if it is running as service: sc delete [service name].
After that, you can delete the agent files.
Dears, I've another use case; I've been using Azure DevOps on-prem server.
I deleted the agent from the devops server 'Website,' However this's wont help me out when I tried to reinstall the agent it tells me:
Cannot configure the agent because it is already configured. To
reconfigure the agent, run 'config.cmd remove' or './config.sh remove'
first.
However, I've solve it when typing the below:
resolved